
Statistically speaking, it is
possible for there to be multiple documents whose hashes are the same,
since you are identifying a potentially large item (a document) by a
smaller key value.

Fortunately, it is also unlikely
that two documents with the same hash value both make sense; one
is likely to be a series of random characters that just happens to result
in the same hash value, or sum. It would be obvious to
the user, upon seeing the document, that something is wrong with it.
It is considered computationally infeasible to modify the content
of a message or program while retaining the same sum, and have the modified
content be a reasonable replacement for the original, rather than obviously
invalid gibberish. It's not necessarily impossible to do this,
but with most hashing algorithms, it would take a prohibitively large
amount of time to find another plausible document with the same hash
value. For some information on duplicate hash value related issues
in MD5, see this informational page on MD5.[389]

Often, but not universally, the longer
the hash value produced by the hashing algorithm (assuming it is a mathematically good
algorithm from a crypto standpoint), the less susceptible it is to this
sort of attack. This is one of the reasons that the SHA-1 hashing algorithm
is considered by some to be stronger than MD5. As we mentioned earlier,
the SHA-1 algorithm produces a 160-bit message digest, while the MD5
algorithm's message digest is only 128 bits. To account for increased
computer processing speeds, even stronger versions of SHA, which
produce message digests of 256 or more bits, have recently been standardized.[390]
Another hashing algorithm you may encounter in
your digital travels is RIPEMD-160, considered to be on a par with SHA-1.
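The relationship between digest length and collision effort can be seen by shortening a hash on purpose. The following is an added example, not part of the original guide: it truncates SHA-256 to a few bits (a toy short hash assumed here for illustration) and counts how many constructed inputs must be hashed before any two of them share a digest. The helper names and the `document-N` inputs are assumptions made for this example.

```python
import hashlib
from itertools import count


def truncated_digest(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data) as an integer (toy short hash)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Hash constructed inputs until two distinct ones share a digest.

    With only 2**bits possible digests, a repeat is guaranteed within
    2**bits + 1 inputs; in practice it appears after roughly
    2**(bits / 2) inputs.
    """
    seen = {}  # digest value -> the input that produced it
    for attempts in count(1):
        doc = b"document-%d" % attempts  # constructed sample input
        digest = truncated_digest(doc, bits)
        if digest in seen:
            return seen[digest], doc, attempts
        seen[digest] = doc


def digest_bits(name: str) -> int:
    """Digest length, in bits, of a hashlib algorithm."""
    return hashlib.new(name).digest_size * 8


if __name__ == "__main__":
    # Each extra bit of digest raises the work needed to find a collision.
    for bits in (8, 16, 24, 32):
        a, b, attempts = find_collision(bits)
        print(f"{bits:2d}-bit digest: {a!r} and {b!r} collide "
              f"after {attempts} inputs")
    # Digest lengths of the algorithms discussed in the text.
    for name in ("md5", "sha1", "sha256"):
        print(f"{name}: {digest_bits(name)}-bit digest")
```

The search finds any two inputs that happen to collide; it does not produce a match for a document chosen in advance, which is the harder problem the text describes.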

Figure 38: There is not enough data in a hash to determine what the original data contained.
